Category Archives: Security

Hack on PS and Xbox attackers leaks DDoS customers’ plaintext passwords

It's payback time for the group that knocked the Sony PlayStation and Microsoft Xbox networks offline in December. First came the report Friday morning that a UK man was arrested in connection with the distributed denial-of-service attacks, making him at least the second person to be detained in an ongoing investigation. Now comes word the customer database Lizard Squad members maintained as part of their DDoS-for-hire service has been breached, spilling details on more than 14,241 users.

But the comeuppance doesn't end there. According to KrebsOnSecurity reporter Brian Krebs, who broke the story about the compromised database, all registered names and passwords were stored in plaintext. The cache shows that customers deposited $11,000 in bitcoins to pay for attacks on thousands of Internet addresses. The information will no doubt prove interesting to members of rival gangs and law enforcement agencies around the world.

The database was tied to LizardStresser[dot]ru, a so-called stresser or booter service ostensibly available to test a website's resistance to attacks. In the vast majority of cases, such services are nothing more than fronts for DDoS-for-hire. According to Krebs, the December attacks on the PlayStation and Xbox networks were designed to be advertisements promoting the service. Given the breach that has now leaked potentially sensitive customer information that was left woefully unprotected, it's safe to assume any buzz in underground markets surrounding the LizardStresser service is over.

Read on Ars Technica | Comments

How dating app Grindr makes it easy to stalk 5 million gay men

Mobile dating apps have revolutionized the pursuit of love and sex by allowing people not only to find like-minded mates but to identify those who are literally right next door, or even in the same bar, at any given time. That convenience is a double-edged sword, warn researchers. To prove their point, they exploited weaknesses in Grindr, a dating app with more than five million monthly users, to identify users and construct detailed histories of their movements.

The proof-of-concept attack worked because of weaknesses identified five months ago in an anonymous post on Pastebin. Even after researchers from security firm Synack independently confirmed the privacy threat, Grindr officials have allowed it to remain for users in all but a handful of countries where being gay is illegal. As a result, the geographic locations of Grindr users in the US and most other places can be tracked down to the very park bench where they happen to be having lunch or the bar where they're drinking, and monitored almost continuously, according to research scheduled to be presented Saturday at the Shmoocon security conference in Washington, DC.

Grindr officials declined to comment for this post beyond what they said in two posts published more than four months ago. As noted, Grindr developers modified the app to disable location tracking in Russia, Egypt, Saudi Arabia, Nigeria, Liberia, Sudan, Zimbabwe, and any other place with anti-gay laws. Grindr also locked down the app so that location information is available only to people who have set up an account. The changes did nothing to prevent the Synack researchers from setting up a free account and tracking the detailed movements of several fellow users who volunteered to participate in the experiment.


Google drops more Windows 0-days. Something’s gotta give

Google's security researchers have published another pair of Windows security flaws that Microsoft hasn't got a fix for, continuing the disagreement between the companies about when and how to disclose security bugs.

The first bug affects Windows 7 only and results in minor information disclosure. Microsoft says, and Google agrees, that this does not meet the threshold for a fix. Windows 8 and up don't suffer the same issue.

The second bug is more significant. In certain situations, Windows doesn't properly check the user identity when performing cryptographic operations, which results in certain shared data not being properly encrypted. Microsoft has developed a fix for this bug, and it was originally scheduled for release this past Tuesday. However, the company discovered a compatibility issue late in testing, and so the fix has been pushed to February.


Survey says security products waste our time

For anyone who has freaked out when an antivirus alert popped up on their screen and spent time researching it only to find out it was a false alarm, a recent survey will hit home.

A survey of information-technology professionals published on Friday found that the average large organization has to sift through nearly 17,000 malware alerts each week to find the 19 percent that are considered reliable. The efforts at triage waste employees’ time—to the tune of a total estimated annual productivity loss of $1.3 million per organization. In the end, security professionals only have time to investigate four percent of the warnings, according to the survey conducted by the market researcher Ponemon Institute.

The survey results show the problems posed by security software that alerts for any potential threat, says Brian Foster, chief technology officer of network-security firm Damballa, the sponsor of the research.


With crypto in UK crosshairs, secret US report says it’s vital

As UK Prime Minister David Cameron forges ahead with a campaign pledge to ban encrypted messaging apps unless his government is given backdoors, that country's Guardian newspaper has aired a secret US report warning that government and private computers were at risk because cryptographic protections aren't being implemented fast enough.

The 2009 document, from the US National Intelligence Council, said encryption was the "best defense" for protecting private data, according to an article published Thursday by the newspaper. Airing of the five-year forecast came the same day Cameron embarked on a US trip to convince President Obama to place pressure on Apple, Google, and Facebook to curtail their rollout of stronger encryption technologies in e-mail and messaging communications. According to Thursday's report:

Part of the cache given to the Guardian by Snowden, the paper was published in 2009 and gives a five-year forecast on the “global cyber threat to the US information infrastructure”. It covers communications, commercial and financial networks, and government and critical infrastructure systems. It was shared with GCHQ and made available to the agency’s staff through its intranet.

One of the biggest issues in protecting businesses and citizens from espionage, sabotage and crime – hacking attacks are estimated to cost the global economy up to $400bn a year – was a clear imbalance between the development of offensive versus defensive capabilities, “due to the slower than expected adoption … of encryption and other technologies”, it said.

An unclassified table accompanying the report states that encryption is the “[b]est defense to protect data”, especially if made particularly strong through “multi-factor authentication” – similar to two-step verification used by Google and others for email – or biometrics. These measures remain all but impossible to crack, even for GCHQ and the NSA.

The report warned: “Almost all current and potential adversaries – nations, criminal groups, terrorists, and individual hackers – now have the capability to exploit, and in some cases attack, unclassified access-controlled US and allied information systems.”

Cameron's campaign against encryption comes as the rest of the world has stepped up cryptographic protections. Both Apple and Google have enabled disk encryption by default on their iPhone and Android smartphone platforms, and a growing number of companies are ensuring that links connecting data centers use strong encryption so that traffic can't be read by the National Security Agency or its UK counterpart, the Government Communications Headquarters. Even before the Guardian report, it was hard to envision how it would be plausible to implement restrictions as draconian as the ones the UK prime minister is proposing. Now, there's evidence that the UK's staunchest ally may have cold feet, too, signalling Cameron may have an even steeper uphill battle.


New Year, New Cyberthreats: What’s in Store for 2015? January #SecChat

Unfortunately, the good guys aren’t the only ones with resolutions for the New Year. From cyber espionage to increasingly unforgiving ransomware, and from non-Windows malware to attacks on the Internet of Things—new and evolving cyberthreats are expected to surface rapidly in 2015.

Join us for a discussion of the current and upcoming cyberthreat landscape, and the ways in which we can prepare for the latest threats before they strike.

During our January #SecChat, we’ll discuss key findings and predictions from the McAfee Labs Threats Report, November 2014. Through this discussion, we hope to spark an insightful conversation around threats in the New Year, and how organizations can take action to prepare against those threats. Joining us for this #SecChat will be some of the most senior threat researchers in McAfee Labs; they will provide valuable insights on their 2015 threat predictions. We look forward to your predictions as well.

Intel Security #SecChats are held in an open forum. We seek to foster conversation with participants on pressing issues facing the information security community. During the discussion, participants will have an opportunity to ask questions and contribute their own insights on the 2015 threat predictions highlighted in the McAfee Labs Threats Report. Ready to join in? Here’s what to do on January 29 at 11am PST:

  • Sign in to your Twitter account at www.twitter.com.
  • Search for the #SecChat hashtag to watch the real-time stream.
  • Be sure to follow @IntelSec_Biz on Twitter, as we will tweet our questions to kick off the discussion.
  • Feel free to tweet your reactions, questions, and responses to chat topics by tagging all your tweets with the #SecChat hashtag.
  • If you have any questions prior to the chat, please tweet them to @IntelSec_Biz.

Don’t forget to mark your calendars for 11am PT on January 29th and RSVP here. We look forward to the upcoming discussion!

The post New Year, New Cyberthreats: What’s in Store for 2015? January #SecChat appeared first on McAfee.

Copyright © 2015.